> ## Documentation Index
> Fetch the complete documentation index at: https://docs.briefer.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Configuring SSO on a self-hosted instance

> Configure Briefer to use your single sign-on provider on your self-hosted Briefer instance.

<Note>
  SSO is an enterprise feature. This page covers how to configure SSO on your self-hosted Briefer instance.
</Note>

Configuring SS0 on your self-hosted Briefer instance allows you to use your own Identity Provider (IdP) to authenticate users. This way, you can have your users log in to Briefer using their existing credentials.

## Configuring SSO

Assuming you already have an IdP set up, you can configure Briefer to use it by setting the following environment variables:

* `OIDC_ISSUER_URL` is the URL of your IdP. For example, `https://keycloak.example.com/realms/your-realm`.
* `OIDC_CLIENT_ID` is the client ID that Briefer will use to authenticate with your IdP.
  Please use a confidential client so that a client secret is available.
* `OIDC_CLIENT_SECRET` is the client secret for the client whose ID is specified in `OIDC_CLIENT_ID`.
* `OIDC_REDIRECT_TIMEOUT` is the time that Briefer will wait for the user to authenticate with the IdP. The default is `1h` (1 hour), but you can set it to `Xm` (minutes) or `Xs` (seconds) too.
  <Info>
    This timeout determines the time-to-live of the cookies necessary for the SSO flow.
  </Info>
* `OIDC_ENCRYPTION_KEY` is a 32-byte key used to encrypt OIDC-related session data, like refresh tokens if your IdP supports them.
  You can generate a key using `openssl rand -base64 32`.

When using SSO you probably also want to set `DISABLE_EMAIL_LOGIN` to true so that users can *only* log in using SSO.

After setting these variables, you should see a "Log in with SSO" button on the login page.

## Managing users

Once you have SSO set up, you can manage users in Briefer by inviting them to your workspace using the same email they use in your IdP.

After authenticating through your IdP, Briefer will use the authenticated user's email to determine which workspaces they have access to.

Once you remove users from your IdP, they will no longer be able to log in to Briefer.

## Automatically creating users

If you want to automatically create users in Briefer when they log in for the first time, you should enable your workspace's "Auto-assign users from SSO" setting within the settings page.

When this option is enabled, Briefer will automatically add the user to that workspace when they log in for the first time.

<Note>**Existing** users will not be automatically added to the workspace when this setting is enabled.</Note>